Palo Alto LLDP Neighbors

I just configured LLDP, the Link Layer Discovery Protocol, on a Palo Alto Networks firewall. What I really like about these firewalls is the completeness of their configuration capabilities combined with how easy they are to use. Everything can be done via the GUI, even viewing the neighbors/peers. By default, only a few TLVs are sent by the Palo, but this can be extended by using LLDP profiles.

Following are a few configuration screenshots from the Palo as well as the config and show commands from a Cisco switch.

The following documentation was made with a PA-3020 cluster with PAN-OS 8.0.1 and two Cisco C3750 switches (C3750-IPBASEK9-M), Version 12.2(50)SE3.

LLDP without Profiles

LLDP must be enabled globally and on every (hardware) interface on which it should run. In high availability environments the checkmark “Enable in HA Passive State” can be ticked to also run it on the passive unit (recommended). Note that I am not using LLDP profiles yet (they come later). The peers can then be viewed through the GUI:

Enable LLDP globally.

And on every interface.

View the peers on the GUI.

As well as more details about the peers.

To enable LLDP on a Cisco switch, issue the following command in global configuration mode:

lldp run

Without LLDP profiles on the Palo Alto firewall, the “show” commands on the Cisco switch reveal almost nothing ;) only the MAC address (chassis ID) and the connected port ID of the Palo Alto:

---SW1 connected to active Palo Alto---
PA-TESTSW01#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
001b.17eb.830c      Gi1/0/3        120                        ethernet1/15
PA-TESTSW02         Fa1/0/48       120        B               Fa1/0/48

Total entries displayed: 2

PA-TESTSW01#
PA-TESTSW01#
PA-TESTSW01#show lldp neighbors gi1/0/3 detail
------------------------------------------------
Chassis id: 001b.17eb.830c
Port id: ethernet1/15
Port Description - not advertised
System Name - not advertised
System Description - not advertised
Time remaining: 110 seconds
System Capabilities - not advertised
Enabled Capabilities - not advertised
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

Total entries displayed: 1

PA-TESTSW01#

---SW2 connected to passive Palo Alto---
PA-TESTSW02#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
PA-TESTSW01         Fa1/0/48       120        B               Fa1/0/48
001b.17eb.6fa2      Gi1/0/3        120                        ethernet1/15
54ee.753c.c613      Fa1/0/47       3601                       54ee.753c.c613

Total entries displayed: 3

PA-TESTSW02#
PA-TESTSW02#
PA-TESTSW02#show lldp neighbors gi1/0/3 detail
------------------------------------------------
Chassis id: 001b.17eb.6fa2
Port id: ethernet1/15
Port Description - not advertised
System Name - not advertised
System Description - not advertised
Time remaining: 119 seconds
System Capabilities - not advertised
Enabled Capabilities - not advertised
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

Total entries displayed: 1

PA-TESTSW02#
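To make output like this auditable across many switches, here is an added Python example (my own code, not from the original post and not from Palo Alto Networks or Cisco) that parses the "show lldp neighbors ... detail" format shown above and reports, per chassis ID, which informative TLVs a peer advertises and which it withholds. The sample text embedded in it is constructed in the shape of the switch output above: the first neighbor mirrors the Palo Alto without an LLDP profile, the second (EXAMPLE-SW, 192.0.2.10) is an invented peer that advertises everything.

```python
"""Parse Cisco IOS "show lldp neighbors ... detail" output and report TLV exposure.

Added example, not part of the original post. The sample below is constructed
to match the shape of the switch output shown in the post; values are illustrative.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: neighbor 1 mirrors the Palo Alto without an LLDP profile,
# neighbor 2 (EXAMPLE-SW / 192.0.2.10) is invented and advertises everything.
SAMPLE_DETAIL = """\
------------------------------------------------
Chassis id: 001b.17eb.830c
Port id: ethernet1/15
Port Description - not advertised
System Name - not advertised
System Description - not advertised
Time remaining: 110 seconds
System Capabilities - not advertised
Enabled Capabilities - not advertised
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

------------------------------------------------
Chassis id: 0011.2233.4455
Port id: Gi1/0/7
Port Description: uplink to core
System Name: EXAMPLE-SW
System Description: Cisco IOS Software, Example Build
Time remaining: 95 seconds
System Capabilities: B,R
Enabled Capabilities: B
Management Addresses:
    IP: 192.0.2.10
Auto Negotiation - supported, enabled
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: 1

Total entries displayed: 2
"""

SEPARATOR = re.compile(r"^-{10,}\s*$")
# Matches "Key: value", "Key - not advertised" and "Key: - not advertised".
KEY_VALUE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*[:-]\s*(?P<value>.*)$")

# TLVs whose content tells a neighbor (or anyone on the link) something useful.
INFORMATIVE_TLVS = ("System Name", "System Description", "Port Description",
                    "Management Addresses", "System Capabilities", "Vlan ID")


def parse_lldp_detail(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per neighbor block; a TLV that is 'not advertised' maps to None."""
    neighbors: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if SEPARATOR.match(raw):          # dashed line starts a new neighbor block
            current = {}
            neighbors.append(current)
            last_key = None
            continue
        if current is None or not raw.strip():
            continue
        if raw.startswith("Total entries displayed"):
            break
        if raw[0].isspace() and last_key is not None:
            # Indented continuation line, e.g. the "IP: ..." under Management Addresses.
            extra = raw.strip()
            prev = current.get(last_key)
            current[last_key] = extra if not prev else f"{prev}; {extra}"
            continue
        match = KEY_VALUE.match(raw)
        if not match:
            continue
        key = match.group("key").strip()
        value = match.group("value").strip().lstrip("-").strip()
        current[key] = None if value.lower().startswith("not advertised") else value
        last_key = key
    return [n for n in neighbors if n]


def tlv_exposure(neighbor: Dict[str, Optional[str]]):
    """Split the informative TLVs into those the peer sends and those it withholds."""
    advertised = [k for k in INFORMATIVE_TLVS if neighbor.get(k)]
    silent = [k for k in INFORMATIVE_TLVS if k in neighbor and neighbor[k] is None]
    return advertised, silent


def summarize(text: str) -> Dict[str, Dict[str, object]]:
    """Map chassis id -> remote port plus advertised / withheld informative TLVs."""
    report: Dict[str, Dict[str, object]] = {}
    for neighbor in parse_lldp_detail(text):
        chassis = neighbor.get("Chassis id")
        if not chassis:
            continue
        advertised, silent = tlv_exposure(neighbor)
        report[chassis] = {"port": neighbor.get("Port id"),
                           "advertised": advertised, "silent": silent}
    return report


if __name__ == "__main__":
    for chassis, info in summarize(SAMPLE_DETAIL).items():
        print(f"{chassis} on {info['port']}: advertises {info['advertised'] or 'nothing informative'}; "
              f"withholds {info['silent'] or 'nothing'}")
```

Run over the real output of "show lldp neighbors detail" exported from each switch, this gives a quick inventory of what every attached device hands out over an unauthenticated link-layer protocol. The first sample neighbor shows the Palo Alto's default behaviour (nothing beyond chassis and port ID); a peer that advertises System Description reveals its software version to everyone on the segment, which is exactly the kind of thing to weigh before enabling richer LLDP profiles on an untrusted edge.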

There is also a show command on the Palo Alto side, which shows much more information about the Cisco switch, since the switch sends more data by default: